
Think like a hacker



Jeff Feinman
February 15, 2009 —  (Page 3 of 6)
“You get a secure product by following a secure development life cycle. You don’t get it by testing,” Fisher said. “It’s all about the notion of software security not coming from the outside in; it comes from the inside out.”

Adding security to the cycle
There is a great deal of talk in the software industry about making sure security is instilled throughout the software development life cycle, but there is no guarantee that such talk translates to action. However, Weider said IBM Rational has seen “an evolutionary approach,” where the security team looks to improve the security of the applications at the beginning of the development process.

“That works well to begin with, to have sort of a gatekeeper, but that also has the potential to become a bottleneck in that there’re very few security people, but there are hundreds or thousands of developers,” Weider said. “With the movement to agile approaches [that have] many smaller iterations, having that testing at the end of the process doesn’t make as much sense as having it embedded throughout the process.”

An agile process caters well to the idea of implementing security throughout the development life cycle because the concept calls for testing in each iteration, Weider explained. In the past, security testing has been something done last minute, and it was typical for testers to find a glaring vulnerability that would take weeks or a month to fix. The tester would then be left with the sticky situation of either delaying the release to fix the vulnerability, or looking the other way and letting the application go live with known bugs. Because of that, Weider said, there has been a push to integrate security testing into earlier phases of development.

One of the things IBM Rational is trying to do is to integrate security within development tools in such a way that it becomes a part of how an application is built, rather than something that’s bolted on after the software is developed.



Comments


06/23/2009 10:30:01 AM EST

On a related note and for similar content, see our book "The Art of Software Security Testing", published in 2006 (http://www.amazon.com/Art-Software-Security-Testing-Identifying/dp/0321304861/ref=ntt_at_ep_dpt_2), for example chapter 1, p. 11, "Think like an Attacker", and chapter 3, "The Secure Software Development Lifecycle".

Elfriede Dustin, United States

